[Gta04-owner] There's not only Linux out there

Glenn glenn.mh.dk at gmail.com
Fri Oct 21 20:13:48 CEST 2011


On 21/10/11 00.17, Martin Christian wrote:
> Hi,
>
>
>    
...
> It's not that I don't like Linux. It's a great desktop OS. But I think
> mobile devices require something more secure.
>
>
>    
...
> Regards,
>
> Martin.
> _______________________________________________
> Gta04-owner mailing list
> Gta04-owner at goldelico.com
> http://lists.goldelico.com/mailman/listinfo/gta04-owner
>    
Hi Martin

I fully agree - see:

http://en.wikipedia.org/wiki/Grsecurity
Quote: "...
O(1) time efficiency for most operations
..."

Includes:
* PaX

Linux-VServer can be used with PaX:
http://linux-vserver.org/Welcome_to_Linux-VServer.org
Quote: "...
Linux-VServer provides virtualization for GNU/Linux systems. This is 
accomplished by kernel level isolation. It allows to run multiple 
virtual units at once. Those units are sufficiently isolated to 
guarantee the required security, but utilize available resources 
efficiently, as they run on the same kernel.
..."

http://en.wikipedia.org/wiki/PaX
Quote: "...
PaX offers executable space protection, using (or emulating in operating 
system software) the functionality of an NX bit (i.e., built-in CPU/MMU 
support for memory contents execution privilege tagging). It also 
provides address space layout randomization to defeat ret2libc attacks 
and all other attacks relying on known structure of a program's virtual 
memory.
..."

May 17th, 2007 Linux Virtualization = Linux-VServer:
http://www.utahsysadmin.com/2007/05/17/linux-virtualization-linux-vserver-xen/
Qoute: "...
Linux Vserver, on the other hand is only useful for having multiple 
Linux-based servers that have the same kernel. This is much more 
efficient, because each host server doesn't have the extra overhead of 
an entire kernel. But it does have some limitations. You obviously can't 
run a Windows server under a Linux Vserver host. The versions I've 
worked on also have some limitations with iptables and quotas (Although 
some of these may be fixed in recent versions).
...
On the plus side, for Linux-Vserver, I've heard that the One Laptop Per 
Child (OLPC) project is using it as part of their security model. They 
are using it so that each application runs in its own virtual server and 
can't disrupt other applications.
..."

2007-11-06 Interview: Linux-VServer Project Leader Herbert Pötzl:
http://www.montanalinux.org/linux-vserver-interview.html
Quote: "...
Bertl: Linux-VServer is an isolation technique in concept very similar 
to BSD Jails or Solaris Containers, which allows multiple Linux 
environments to run on a single kernel side by side, with no measurable 
overhead.
...
The idea was quite simple, but the implementation took a long time to 
get perfected. Today we not only have Unification, but also Copy on 
Write (CoW) Link Breaking.
...
As far as I know, the following distributions have some kind of 
Linux-VServer package/option available:
* ALT Linux, Arch Linux, Debian, Fedora, Gentoo, Knoppix, Mandriva, PLD 
Linux, Rock Linux, Slackware, T2, and Ubuntu
...
Large Deployments are definitely PlanetLab and Lycos Europe, but I also 
heard rumors about Cisco and other larger companies. As we do not 
require any registration to use the software, there is no real way to 
tell, and personally, I do not care that much about the numbers.
...
Bertl: Linux-VServer drastically increases security if used properly, so 
yes, that is actually one of the main usage scenarios of Linux-VServer, 
although most folks will consider hosting and server consolidation the 
primary area of application.
...
Bertl: chroot(), contrary to common belief, is not a security mechanism 
per se, it just changes the view of a process.
...
Bertl: Yes, at least one person is actively using Xen and Linux-VServer 
together, but I guess there are more out there, especially as Xen and 
Linux-VServer go nicely side by side complementing each other, you won't 
use a fork when you need a spoon and vice versa.
...
[Comments]
...
I've been "playing" with vserver for years (is it that long) now and 
finally had the opportunity to deploy it in my datacenter earlier this 
year when we consolidated our Athlon 2800 servers onto quad-core Opterons.

In addition to saving a ton of space. money and pain it made one 
specific thing very easy... Cleaning up after a comprimise.

The systems we migrated were RHEL AS 2.1 systems (RHEL 5 was in beta) 
and brought with them a TON of security holes. It wasn't too long 
afterwards that we noticed one of the servers had been cracked. 
Normally, you can't trust your own tools when that happens, but due to 
the added layer of protection, I was able to easily use the host 
system's tools to replace the rooted utilities to get my servers 
functional ASAP.
..."

-

Bitfrost: the One Laptop per Child Security Model:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.134.123&rep=rep1&type=pdf
Quote: "...
To this end, we have designed and are implementing Bitfrost, a security 
platform for the children's laptop that borrows from many recent 
developments in the field of usable security (HCI-SEC). Freed from the 
requirement to support legacy software, we believe that we have created 
a system that may allow children to learn and experiment with advanced 
technology without falling prey to those who would harm them or their 
machines.
...
The laptop is based on an AMD Geode LX-700 processor running at 433 MHz. 
It has a 7.5-inch screen that can operate in either a medium resolution 
color or high resolution black and white mode, a wireless mesh network, 
camera that supports video, a microphone, and three USB ports. There is 
256 MB of RAM
...
We have seen many security systems fail or become unusable because of 
their inability to address the identification and authentication of 
manufacturers, publishers, and users.
...
Once the kernel boots, the P_SF_RUN runtime protection system takes 
over. As mentioned above, this system is based on VServer, a lightweight 
Linux virtualization system that has been widely used at shared hosting 
Internet service providers
..."

http://en.wikipedia.org/wiki/Bitfrost

Squeak for the kids! Use Linux-vserver power before giving your Neo to a 
kid (or someone else) Re: Idea for OpenMoko: Kid Mode:
http://www.mail-archive.com/community@lists.openmoko.org/msg02112.html

br,

Glenn

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.goldelico.com/pipermail/gta04-owner/attachments/20111021/8eda1218/attachment.html>


More information about the Gta04-owner mailing list